Data Processing Rules

These Rules (the “Rules”) are issued by InHiro, a.s., with its registered office at Staré Grunty 12, 841 04 Bratislava, the Slovak Republic, ID No. 47 787 066, registered in the Commercial Register of District Court Bratislava I, Section Sa, Insert No. 5962/B (the “Data Processor”) and shall become an integral part of any Services Agreement (as defined below).

These Rules serve as a written commissioned data processing agreement between the Data Processor and each Data Controller providing Personal Data in connection with its use of the Service and furthermore defines the applicable technical and organizational measures that the Data Processor implements and maintains to protect Personal Data stored in respect of the Service. The written form of these Rules shall be deemed to be evidenced upon: (i) signing the Services Agreement in paper or electronic form by each of the Data Controller and the Data Processor or (ii) receipt of the Order Form and its acceptance by the Data Processor who shall attach its signature to the Order Form.

The Data Controller hereby declares that at the time of selecting the Data Processor, it took into consideration the Data Protector ́s professional, technological, organizational and personal skills and its competence to ensure security to processed Personal Data according to Section 19 (1) of the Data Protection Act (as defined below).

1. DEFINITIONS

The capitalized terms used in these Rules shall have the following meaning:

Data Protection Law means Data Protection Act and other applicable legislation protecting the fundamental rights and freedoms of persons and, in particular, their right to privacy, with regard to the processing of Personal Data by a data processor in the EEA.

Data Subject means any natural person whose personal data is processed by the Data Processor, for the purpose of providing Services to the Data Controller.

Information System has the meaning given in clause 2.2.

Order Form means any order issued by the Data Controller and addressed to the Data Processor on provision of the Services. The Order Form may be issued as (A) a signed original Order Form; (B) signed Order Form in pdf or similar format; (C) accepted Order Form using any electronic document signature tool to identify the issuer.

Personal Data means any information relating to an identified or identifiable natural person; an identified or identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/ her physical, physiological, mental, economic, cultural or social identity, in particular: name, phone number, e-mail address, address data, date of birth, occupation of a Data Subject and/ or any Personal Data provided to the Data Processor by the Data Controller.

Service means the services provided by the Data Processor to the Data Controller in the form of a human resources management tool enabling companies to attract top job candidates via social networks.

Services Agreement means a contract concluded between the Data Processor and the Data Controller on provision of the Services that refers to these Rules.

2.2 The information system called www.inhiro.com servers of which are located at the territory of the Slovak Republic or any other domain owned by the Data Processor (the “Information System”) shall be used to process Personal Data by the Data Processor.

2.3 The Data Processor will be authorized to process Personal Data on behalf of the Data Controller as of the day the Data Controller uploads Personal Data into the Information System.

3. OBLIGATIONS OF THE DATA PROCESSOR

3.1 The Data Processor shall process Personal Data only in accordance with the Data Controller’s instructions. The Data Processor shall use reasonable commercial efforts to follow and comply with the instructions received from the Data Controller as long as they are legally required and technically feasible and do not require any material modification to the functionality of the Service or underlying software. Data Processor shall notify the Data Controller if it considers an instruction submitted by the Data Collector to be in violation of the Data Protection Law. The Data Processor shall not be obliged to perform a comprehensive legal examination. If and to the extent the Data Processor is unable to comply with an instruction it shall promptly notify (email permitted) Data Controller hereof.

3.2 For processing Personal Data, Data Processor and its Sub-processors shall only use personnel who are subject to a binding obligation to observe data secrecy or secrecy of telecommunications, to the extent applicable, pursuant to the applicable Data Protection Law. Data Processor shall itself and shall require that its Sub-processors regularly train individuals to whom they grant access to Personal Data in data security and data privacy.

3.3 The Data Processor shall implement and maintain appropriate technical and organizational measures to keep all Personal Data secure and shall protect it against unauthorized and unlawful processing by third parties and accidental loss, destruction or damage.

3.4 Data Processor shall promptly inform the Data Controller as soon as it becomes aware of serious disruptions of the processing operations, reasonable suspected or actual data protection violations or any security breach in connection with the processing of Personal Data which, in each case, may significantly harm the interest of the Data Subjects concerned. However, the Data Processor shall have no such notification obligations towards the Data Subjects and it is the sole responsibility of the Data Controller to communicate towards the Data Subjects.

3.5 At Data Controller’s expense, Data Protection shall reasonably support Customer or other Data Controllers in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the processing of Personal Data hereunder.

4. OBLIGATIONS OF THE DATA CONTROLLER

4.1 The Data Controller is obligated to obtain the Data Subjects signed written consent with the processing of his/ her Personal Data by the Data Processor.

4.2 The Data Controller hereby represents, warrants and undertakes that (i) it will not submit in to the Information System any Personal Data obtain in contrary with the Data Protection Law or any other applicable law (ii) it will promptly remove from the Information System any Personal Data in respect of which the Data Controller has lost the authorisation to process such data (e.g. due to termination of the data processing purpose or revocation of the consent by the Data Subject).

4.3 The Data Controller agrees and undertakes repay the Data Processor any damages, costs and expenses, including costs and attorneys ́ fees, resulting from any claim or demand made by any third party due to or arising out of (a) the Data Controller’s breach of the Data Protection Law, mainly breach of the Data Controller’s obligation to obtain the Data Subjects consent to process his/ her Personal Data, and (b) any breach of these Rules.

5. INTERNATIONAL TRANSFER OF DATA

5.1 Under the Services Agreement, the Data Controller may instruct and the Data Processor shall transfer Personal Data to a country or territory outside the EEA only if (a) the country or territory in which the recipient operates has been found to ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission and subject to the restrictions of any such determination and (b) it has communicated with the Data Subjects information set- out in Section 15 of the Data Protection Act.

6. SUB-PROCESSORS

6.1 The Data Processor may authorize a third party (the “Sub-processor”) to process Personal Data to the extent necessary for fulfilling its obligation arising from the Services Agreement.

6.2 The Data Processor remains responsible for any acts or omissions of its Sub-processors in the same manner as for its own acts or omissions hereunder.

7. CONFIDENTIALITY

7.1 A party to the Services Agreement (Recipient) undertakes to the other party to the Services

Agreement (Disclosing Party) to treat as confidential all information having a sensitive nature 3

(including the Personal Data) that has been obtained from the Disclosing Party in respect of provision of the Services (Confidential Information).

7.2 The Recipient may only use the Confidential Information of the Disclosing Party for the purposes of and in accordance with Services Agreement. The Recipient may provide its its employees, directors, subcontractors and affiliates (Permitted Users) with access to the Confidential Information of the Disclosing Party on a strict “need-to-know” basis only. The Recipient shall ensure that each of Permitted Users is bound to hold all Confidential Information of the Disclosing Party in confidence to the standard required under these Rules. Where a Permitted User is not an employee or director of the Recipient or is not under a professional duty to protect confidentiality, the Recipient shall ensure that the Permitted User shall enter into a written confidentiality undertaking with the Recipient on substantially equivalent terms to these Rules, a copy of which shall be provided to the Disclosing Party upon request.

7.3 This clause 7 shall not apply to any Confidential Information which:

(a) is in or subsequently enters the public domain other than as a result of a breach of this clause 7;
(b) has been or is subsequently received by the Recipient from a third party which is under no confidentiality obligation in respect of that information; or
(c) has been or is subsequently independently developed by the Recipient, or where the Recipient.

7.4 Each Permitted User may disclose the Disclosing Party’s Confidential Information where that Permitted User (or where the Permitted User is an individual, his or her employer or any affiliate of his or her employer) is required to do so by law or by any competent regulatory authority. In these circumstances the Recipient shall give the Disclosing Party prompt advance notice in writing of the disclosure (where lawful and practical to do so) so that the Disclosing Party has sufficient opportunity (where possible) to prevent or control the manner of disclosure by appropriate legal means.

8. GENERAL

8.1 These Rules shall apply during the whole term of the Services Agreement and may only be amended or restated in accordance with the terms set out in the Services Agreement.

8.2 These Rules shall be governed by and construed in accordance with the laws of Slovak Republic and the parties shall submit to the exclusive jurisdiction of the Slovak courts.

8.3 If any provision of these Rules is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions of these Rules, and all provisions not affected by such invalidity shall remain in full force and effect.